Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

stack-buffer-overflow in put_qpel_fallback when decoding file #241

Closed
leonzhao7 opened this issue Dec 24, 2019 · 3 comments
Closed

stack-buffer-overflow in put_qpel_fallback when decoding file #241

leonzhao7 opened this issue Dec 24, 2019 · 3 comments

Comments

@leonzhao7
Copy link

stack-buffer-overflow in put_qpel_fallback when decoding file

I found some problems during fuzzing

Test Version

dev version, git clone https://github.com/strukturag/libde265

Test Environment

root@ubuntu:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial

root@ubuntu:# uname -a
Linux ubuntu 4.15.0-45-generic #48
16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Test Configure

./configure
configure: ---------------------------------------
configure: Building dec265 example: yes
configure: Building sherlock265 example: no
configure: Building encoder: yes
configure: ---------------------------------------

Test Program

dec265 [infile]

Asan Output

root@ubuntu:~# ./dec265 libde265-put_qpel_fallback-stack_overflow.crash
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: pps header invalid
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
=================================================================
==91107==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffebaa90b7f at pc 0x00000043836d bp 0x7ffebaa8e510 sp 0x7ffebaa8e500
READ of size 2 at 0x7ffebaa90b7f thread T0
    #0 0x43836c in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int) /root/src/libde265/libde265/fallback-motion.cc:520
    #1 0x433c33 in put_qpel_1_3_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int) /root/src/libde265/libde265/fallback-motion.cc:646
    #2 0x52c405 in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const ../libde265/acceleration.h:338
    #3 0x52d7d6 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:156
    #4 0x51f6f2 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:376
    #5 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
    #6 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
    #7 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
    #8 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
    #9 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
    #10 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
    #11 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
    #12 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
    #13 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
    #14 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
    #15 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
    #16 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
    #17 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
    #18 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
    #19 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
    #20 0x7fd98d83582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x402b28 in _start (/root/dec265+0x402b28)

Address 0x7ffebaa90b7f is located in stack of thread T0 at offset 9151 in frame
    #0 0x52cf34 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:49

  This frame has 2 object(s):
    [32, 9120) 'mcbuffer'
    [9152, 14832) 'padbuf' <== Memory access at offset 9151 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/src/libde265/libde265/fallback-motion.cc:520 void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int)
Shadow bytes around the buggy address:
  0x10005754a110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005754a120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005754a130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005754a140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005754a150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005754a160: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2[f2]
  0x10005754a170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005754a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005754a190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005754a1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005754a1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==91107==ABORTING

POC file

libde265-put_qpel_fallback-stack_overflow.zip
libde265-put_qpel_fallback-stack_overflow2.zip
password: leon.zhao.7

CREDIT

Zhao Liang, Huawei Weiran Labs

@coldtobi
Copy link

According to Debian this is CVE-2020-21601

@coldtobi
Copy link

coldtobi commented Jan 22, 2023

The poc is no longer triggering with the state in the master branch, as of today at
commit c96962c, I was bisecting to find when the poc
started to no longer trigger.

The test were commited on Debian unstable, gcc (Debian 12.2.0-14) 12.2.

Methology:

Starting point for all bisects were commit c43f2f8 (selected, as this is around the time where the CVEs were reported)

commit c43f2f8cd674bc7c78951b279ca0b1f883e1f276 (HEAD)
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Thu Dec 19 11:04:40 2019 +0100

    increase version number to v1.0.4

Bisecting is done using, so that git will report the first "good" commit.
# git bisect start --term-new=fixed --term-old=unfixed

Bisecting is done using the CMake build system, using
# cmake ../libde265 -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Debug

The pocs -- taken from the upstream issues (renamed for convience, so that the link to the CVE/issue is in the filename)
The test was done with:
./dec265/dec265 -q $POC

CVE-2020-21601-issue241-libde265-put_qpel_fallback-stack_overflow.crash

CVE-2020-21601-issue241-libde265-put_qpel_fallback-stack_overflow.crash2

(both pocs have the same result)

3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit

commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
git describe --contains f538254e4658ef5ea4e233c2185dcbfd165e8911
v1.0.9~3^2~6

@farindk
Copy link
Contributor

farindk commented Jan 24, 2023

Thanks @leonzhao7 and @coldtobi

@farindk farindk closed this as completed Jan 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants